Security Question.
Posted: Wed May 27, 2009 9:34 am
by JMD
How vulnerable is L2J to injections? (I know, use search, but it doesn't allow me to search for some reason.)
I use Unix based OS for my server.
Re: Security Question.
Posted: Wed May 27, 2009 9:59 am
by janiii
Java code uses prepared statements, and these should be fine. Most SQL injections can come from a (bad) web-based account manager system.
Re: Security Question.
Posted: Wed May 27, 2009 10:59 am
by Zealar
SQL injections don't work in L2J; I tested two weeks ago, but they work for stupid MU.
MySQL > Microsoft SQL
Re: Security Question.
Posted: Wed May 27, 2009 8:22 pm
by ThePhoenixBird
Be sure to use a well-coded account manager, and if you use a statistics system, be sure also that it's properly secured. L2J by default is highly secure, but it can be compromised due to lame PHP scripts running on your site.
Re: Security Question.
Posted: Thu May 28, 2009 3:17 am
by JMD
Thanks for your replies.
Re: Security Question.
Posted: Thu May 28, 2009 3:45 pm
by Vapulabe
SQL injection comes from badly escaped parameters in SQL requests. L2J uses prepared statements, which should remove the problem.
Compare :
Code:
// vulnerable: data is concatenated straight into the SQL text
rs=stm.executeQuery("SELECT * FROM XYZ WHERE aaa='"+data+"'");
And
Code:
// safe: the value is bound as a parameter and never parsed as SQL
stm=db.prepareStatement("SELECT * FROM XYZ WHERE aaa= ?");
stm.setString(1,data);
rs=stm.executeQuery();
In the first call, you may have something like
Code:
zzz'; INSERT INTO XXX(bbb,ccc) VALUES(1,2); SELECT * FROM XYZ WHERE aaa='yyy
which would execute as three SQL requests:
Code:
SELECT * FROM XYZ WHERE aaa='zzz';INSERT INTO XXX(bbb,ccc)VALUES(1,2);SELECT * FROM XYZ WHERE aaa='yyy'
With the prepared statement, the whole string will be taken as a parameter, with the
' characters understood as ordinary ASCII characters and not as the string delimiter.